Wireless networks are a highly popular means for people to access the Internet. This way of accessing the Internet continues to gain popularity, mainly due to the widespread and increasing use of wireless-equipped modern customer equipment such as mobile phones, smartphones, laptops, netbooks, tablet computers, game consoles, digital cameras, printers, digital video cameras, digital music players, etc. These modern devices access the Internet with the help of a variety of different wireless networks and network classes.
A first exemplary class are those networks operating in licensed frequencies. These networks are generally operated using technologies such as the Global System for Mobile Communications (commonly known as GSM), WCDMA (commonly known as 3G), WiMAX and LTE (both commonly referred to as 4G). An organization wishing to deploy and operate customer equipment using these frequencies needs to obtain a license from a competent authority (typically the telecom regulator) in the geography in which it wishes to operate. These technologies are typically suitable for deployment of a data service over larger geographic areas and are generally operated and owned by companies as public Wide Area Networks (WANs), with users paying for access. However, these networks have a relatively low data transmission speed.
A second exemplary class of wireless network are those operating in unlicensed frequencies. These networks are generally operated using technologies such as those specified in the IEEE 802.11 standards (commonly known as Wi-Fi) or in Bluetooth. The owner of customer equipment operating in the frequencies specified by these standards does not need to obtain a license for its use as long as the equipment conforms to the specifications. These technologies are typically suitable for networking over a smaller geographic area. As a result, unlicensed wireless networks have found popularity as a way for private persons and companies to extend their existing fixed-line Local Area Network (LAN) and Internet connection, creating a Wireless Local Area Network (WLAN). These networks are typically privately owned and operate within a single geographic footprint, typically a company's offices or a private residence. These WLAN networks have relatively high data transmission speeds. Once the owner of a WLAN has purchased the networking equipment, they typically do not need to pay for the use of the wireless network any more. The only remaining expenses are those for maintaining the fixed-line Internet connection to the WLAN.
In a typical WLAN installation based on Wi-Fi, a residential or business user maintains an active Internet connection, thereby providing the bandwidth needed for wireless Internet connectivity. Although a simple dial-up connection to the Internet may suffice to provide wireless connectivity, a high-speed Internet connection, e.g. via a digital subscriber line (DSL), cable television service, T1 line or the like, is preferable.
In addition, a combination of hardware and software is installed for providing WLAN connectivity. For example, computers or computing devices are supplied with Wi-Fi adapters, which are essentially low-powered radio devices. Commonly, a WLAN router that provides an access point (also referred to as a gateway) is used, wherein the WLAN router manages the communication among the connected devices, e.g. further computers or notebooks, and further provides a connection to the Internet for these devices. The connected computers or mobile devices and the gateway typically require configuration to provide their functionality. Once properly configured, the mobile devices and computing devices equipped with Wi-Fi adapters can access the Internet without the need for a hardwired connection.
FIG. 1 illustrates a typical prior art Wi-Fi based WLAN network scenario, wherein a plurality of devices are configured to transmit and/or receive data while communicating with the Internet via a WLAN.
FIG. 1 exemplarily shows a plurality of mobile devices 101A to 101E, e.g. a laptop computer 101A, a tablet computer 101B, a smart phone 101C, a digital camera 101D and a digital media player 101E. Each device is suitably equipped to connect to the Wi-Fi WLAN, including both networking software and suitable hardware, i.e. a radio transmitter/receiver typically compatible with the IEEE 802.11 standards. Each of the mobile devices 101A to 101E communicates with an access point 102 using radio-based communication in compliance with the IEEE 802.11 standards 103. As part of these standards, the access point 102 broadcasts a unique identifier as identification data, typically known as the SSID. This allows each mobile unit 101A to 101E to identify the access point 102 and to connect to a preferred access point 102 in case there is a plurality of access points 102 within the transmitting range of the respective mobile unit 101A to 101E.
The access point 102 is connected via a cable to a router 104 which provides the core switching and routing functionality for the WLAN network. Optionally, the router 104 is connected to further computer units 108, for example a personal computer, using wired connections. The router 104 enables the wirelessly connected mobile units 101A to 101E both to communicate with each other and to communicate with the further computer units 108.
In order to provide Internet connectivity to the mobile units 101A to 101E—communicating via the WLAN—as well as to the computer units 108, the router 104 is connected to a modem 105, preferably via a cable link. The modem 105 in turn is connected to the network of an Internet Service Provider (ISP) 106 that is further connected to a global communications network, typically the Internet 107.
In some configurations, the access point 102, the router 104 and the modem 105 may be discrete hardware units. In other implementations, a combination of more than one of the access point 102, the router 104 and the modem 105 may be implemented into a single hardware device. Typically, a combined router 104 and modem 105 is provided.
An operator of a Wi-Fi network typically has the choice between two modes of operation with regard to authenticating the mobile units 101A to 101E when they connect to the access point 102.
First, an unencrypted mode of operation may be selected. The operator configures the access point 102 to communicate using an unencrypted signal. In this mode, the access point 102 broadcasts the SSID to any suitably equipped mobile unit 101A to 101E that in turn may freely establish a wireless connection to the access point 102.
According to a second option, an encrypted mode is applied for wireless communication. In this encrypted mode, the operator configures the access point 102 to communicate with the mobile units 101A to 101E using an encrypted signal. In this mode of operation the access point 102 still broadcasts the SSID unencrypted, but for establishing a connection to the access point 102, the mobile unit 101A to 101E must provide a password that has been set by the operator of the WLAN network. A mobile unit 101A to 101E that is not able to provide the correct password is not able to establish a connection with the access point 102. Once the password has been successfully presented to the Wi-Fi access point, the connection to the mobile unit 101A to 101E is encrypted. A number of suitable protocols are commonly used for communicating and authenticating the password and for encrypting the communication. Suitable encryption technologies are, for example, WEP or WPA.
Each mode of operation has several advantages and disadvantages. The unencrypted mode of operating the network access point 102 maximises the utility of the WLAN access point and allows a maximum number of mobile units 101A to 101E to access the resources provided by the Wi-Fi access point, including access to the Internet 107. However, this mode of operation creates a security problem, since the operator is unable to control which mobile unit 101A to 101E accesses the network resources. Thus a malicious user of a mobile unit 101A to 101E may be able to gain access to other mobile units 101A to 101E, to the computer units 108 and to the Internet 107 as well. This access may be used for malicious or criminal purposes. For example, credit card details stored on the computer units 108 may be spied out, or the Internet 107 may be used for the illegal download of copyrighted music files.
The encrypted mode of operation may resolve some of the problems of the unencrypted mode. The operator of the access point 102 can set a password and distribute the password to trusted parties only. As a result, access to further mobile units 101A to 101E, to the computer units 108 and to the Internet 107 is restricted to trusted third parties. However, there are two main disadvantages when operating the access point 102 in this mode. First, the service of the WLAN network is reduced. Access to its resources is denied for any mobile unit 101A to 101E that is not able to present the right password. Even non-malicious users may be denied access. Second, there is no guarantee to the operator/owner of the access point 102 that a party to whom he or she has provided the password does not, intentionally or otherwise, communicate the password to a malicious third party and thereby defeat the security provided by the password.
Both modes of operation have further security problems in common. For example, they do not validate which mobile unit 101A to 101E is connected to the access point 102. In other words, the mobile unit 101A to 101E is not identified. The encrypted mode denies access to any unit without the password; however, it does not differentiate between the individual mobile units 101A to 101E. This has implications for the network's security. The Internet service provider (ISP) 106 typically allocates a single IP address to the modem 105, and the WLAN network operates as a private subnet. As a result, the ISP 106 is not capable of differentiating between communications traffic from different mobile units 101 or from the computer unit 108. The ISP will only be able to identify all traffic as relating to the modem 105. If the user of a mobile unit 101A to 101E uses the Internet 107 for criminal purposes, from the perspective of the ISP 106 the illegal traffic will have originated from the private subnet of the modem 105. Since the encrypted mode does not differentiate between the mobile units 101A to 101E, even the operator of the WLAN network is not able to identify the malicious user. In many jurisdictions the operator of the modem 105 can be held legally responsible for the malicious use of the connection provided by the ISP 106.
Despite the aforementioned shortcomings, the use of the encrypted mode of operation has become increasingly popular. As a result, a user of a mobile unit 101A to 101E will typically utilise only a small number of encrypted WLAN networks, e.g. at home or at work. In places between these two locations, whilst the mobile unit 101A to 101E may be within the transmitting range of further WLAN networks, the mobile unit will have no network access, since the user will generally not have the passwords required for accessing the further WLAN networks. As a result, the mobile unit 101A to 101E will not be able to access the resources of those WLAN networks and will have access to the Internet 107 only via a wide area network (WAN) such as 3G, and only if the mobile unit is suitably equipped. If there is no WAN present or if the mobile unit is not suitably equipped, it will not be able to connect to the Internet at all. The WAN network typically provides a lower data rate, with resultant lower utility of the mobile unit 101A to 101E, and will further incur access fees.
As a result, and in order both to maximise the utility of the mobile unit 101A to 101E and to reduce access charges, it is desirable to allow mobile units to access a larger number of the available WLAN networks. However, for this purpose the mobile unit has to store a plurality of passwords in order to be capable of connecting to a larger number of WLAN networks.
There are several approaches known in the prior art that would allow a user of a mobile unit 101A to 101E to access a larger number of WLAN networks without the inherent weaknesses of using an unencrypted network.
According to a prior art solution, the operators of Wi-Fi based WLAN networks share the passwords of their access points 102. The operator of the access point 102 provides the password and the SSID of the access point 102 to other users of mobile units 101A to 101E via a database. A copy of this database is stored in each of the mobile units 101A to 101E. If a mobile unit 101A to 101E attempts to connect to an encrypted access point 102, it searches the copy of the database and, if a password is found for the respective SSID of the access point 102, uses that password to establish a connection to the access point. However, this approach has a number of drawbacks. First, since the mobile unit 101A to 101E stores the SSIDs and access passwords for a plurality of access points, there is a risk that this access information will be misused by a malicious user. Second, this technical approach does not solve the problem of differentiating between the different mobile units 101A to 101E, i.e. identifying them, and the operator of the WLAN network may still be exposed to the legal threat of malicious use of the Internet 107. Third, the solution does not prevent access to the computer units 108 by a malicious user of a mobile unit 101A to 101E.
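As an added illustration that is not part of this document, the following Python derives the WPA/WPA2 pre-shared key a mobile unit presents to an access point from the password and the SSID (the PBKDF2-HMAC-SHA1 derivation of IEEE 802.11i), and looks the password up in a local copy of the shared SSID/password database described above. It makes concrete two points from the passages on the encrypted mode and on the shared-database approach: the credential is a pure function of the (SSID, password) pair, so every unit holding that pair presents an identical key and the access point cannot tell them apart, and the database copy on each unit is therefore as sensitive as the keys themselves. The SSID/password entries in the database below are constructed sample data, apart from the "IEEE"/"password" pair, which is the standard's published test vector.

```python
import hashlib
from typing import Dict, Optional

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 pre-shared key from a passphrase and an SSID.

    IEEE 802.11i specifies PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).
    The result depends only on the pair (passphrase, ssid): no per-device secret
    enters the computation, which is why two units with the same pair are
    indistinguishable to the access point.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )

# Constructed stand-in for the copy of the shared database stored on each mobile
# unit: SSID -> password of the access point. The "IEEE"/"password" entry is the
# 802.11i test vector; the other entry is an invented example.
SHARED_DATABASE: Dict[str, str] = {
    "IEEE": "password",
    "ExampleCafe-WLAN": "constructed-example-passphrase",
}

def credential_for(ssid: str, database: Dict[str, str]) -> Optional[bytes]:
    """Mimic the lookup a mobile unit performs: find the SSID in its database copy
    and derive the key it would present, or None if no entry exists."""
    passphrase = database.get(ssid)
    if passphrase is None:
        return None
    return wpa_psk(passphrase, ssid)

def units_indistinguishable(ssid: str, database: Dict[str, str], unit_count: int) -> bool:
    """True when every one of unit_count units holding the same database copy
    would present exactly the same credential for this SSID, i.e. the access
    point receives nothing that identifies an individual unit."""
    keys = {credential_for(ssid, database) for _ in range(unit_count)}
    return len(keys) == 1 and None not in keys
```

`credential_for` returns None for an SSID that is absent from the database copy, which is the situation of a mobile unit between its home and work networks described above.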